Synthesis is the automatic construction of a system from its specification. In classical synthesis algorithms it is always assumed that the system is "constructed from scratch" rather than composed from reusable components. This, of course, rarely happens in real life. In real life, almost every non-trivial commercial software system relies heavily on using libraries of reusable components. Furthermore, other contexts, such as web-service orchestration, can be modeled as synthesis of a system from a library of components.

In 2009 we introduced LTL synthesis from libraries of reusable components. Here, we extend that work and study synthesis from component libraries with "call and return" control-flow structure. Such control-flow structure is very common in software systems. We define the problem of Nested-Words Temporal Logic (NWTL) synthesis from recursive component libraries, where NWTL is a specification formalism, richer than LTL, that is suitable for "call and return" computations. We solve the problem, providing a synthesis algorithm, and show that the problem is 2EXPTIME-complete, as is standard synthesis.

1 Introduction 

The design of almost every non-trivial software system is based on using libraries of reusable components. Reusable components come in many forms: functions, objects, or others. Nevertheless, the basic idea of constructing systems from reusable components underlies almost all software construction. Indeed, almost every system involves many sub-systems, each dealing with different engineering aspects and each requiring different expertise. In practice, the developer of a commercial product rarely develops all the required sub-systems herself. For example, a software application for an email client contains sub-systems for managing the graphical user interface (as well as many other sub-systems). Rarely will a developer of the email-client system develop the basic graphical-user-interface functionality as part of the project. Instead, basic sub-system functionality is usually acquired as a library, i.e., a collection of reusable components that can be integrated into the system. The construction of systems from reusable components is extensively studied. Many examples of important work on the subject can be found in Sifakis' work on component-based construction [16] and de Alfaro and Henzinger's work on "interface-based design" [?]. Furthermore, other situations, such as web-service orchestration [?, ?], can be viewed as the construction of systems from libraries of reusable components.

Synthesis is the automated construction of a system from its specification. The basic idea is simple and appealing: instead of developing a system and verifying that it adheres to its specification, we would like to have an automated procedure that, given a specification, constructs a system that is correct by construction. The modern approach to temporal synthesis was initiated by Pnueli and Rosner, who introduced LTL (linear temporal logic) synthesis [14]. In LTL synthesis, the specification is given in LTL and the system constructed is a finite-state transducer modeling a reactive system. In this setting of synthesis it is always assumed that the system is "constructed from scratch" rather than "composed" from reusable components. In [12] we introduced the study of synthesis from reusable components. We argued there that even when it is theoretically possible to design a sub-system from scratch, it is often desirable to use reusable components. The use of reusable components allows abstracting away most of the detailed behavior of the sub-system, and writing a specification that mentions only the aspects of the sub-system relevant for the synthesis of the system at large.

A major concern in the study of synthesis from reusable components is the choice of a mathematical model for the components and their composition. The exact nature of the reusable components in a software library may differ. The literature, as well as the industry, suggests many different types of components; for example, function libraries (for procedural programming languages) or object libraries (for object-oriented programming languages). Indeed, there is no one correct model encompassing all possible facets of the problem. The problem of synthesis from reusable components is a general problem to which there are as many facets as there are models for components and types of composition. Components can be composed in many ways: synchronously or asynchronously, using different types of communication, and the like [?].

As a basic model for a component, following [12], we abstract away the precise details of the component and model a component as a transducer, i.e., a finite-state machine with outputs. Transducers constitute a canonical model for reactive components, abstracting away internal architecture and focusing on modeling input/output behavior. In [12], two models of composition were studied. In data-flow composition the output of one component is fed as input to another component. The synthesis problem for data-flow composition was shown to be undecidable. In control-flow composition control is held by a single component at every point in time; the composition of components amounts to deciding how control is passed between components, by setting which component receives control when another component relinquishes it. Control-flow composition is motivated by software (and web services) in which a single function is in control at every point during the execution. In [12] we focused on "goto" control flow, and proved that LTL synthesis in that setting is 2EXPTIME-complete.

In this paper we extend that work and study a composition notion that relates to "call and return" control structure. "Call and return" control flow is very natural for both software and web services. An online store, for example, may "call" the PayPal web service, which receives control of the interaction with the user until it returns the control to the online store. To allow for "call and return" control-flow structure, we define a recursive component to be a transducer in which some of the states are designated as exit states. The exit states are partitioned into call states and return states. Intuitively, a recursive component receives control when entering its initial state and relinquishes control when entering an exit state. When a call state is entered, the control is transferred from the component in control to the component that is being called by the component in control. When a return state is entered, the control is transferred from the component in control to the component that called it (i.e., control is returned). To model return values, each transducer has several return states. Each return state is associated with a re-entry state. Thus, each transducer has a single entry state, several re-entry states, several return states, and several call states. Composing recursive components amounts to matching call states with entry states and return states with re-entry states.¹

¹ It is possible to consider more complex models, for example, models in which there are several call values. The techniques presented here can be extended to deal with such models.
Dealing with "call and return" control flow poses two distinct conceptual difficulties. The first is the technical difficulty of dealing with a "call and return" system that has a pushdown store. When adapting the techniques of [12], a run is no longer a path in a control-flow tree, but rather a traversal in a composition tree, in which a return corresponds to climbing up the tree. To deal with this difficulty we employ techniques used with 2-way automata [13]. A second difficulty has to do with the specification language. "Call and return" control flow requires a richer specification language than LTL [5, 3]. For example, one might like to specify that one function is only called when another function is in the caller's stack; or that some property holds for the local computations of some function. In recent years an elegant theory of these issues was developed, encompassing suitable specification formalisms, as well as semantic, automata-theoretic, and algorithmic issues [5, 3, 6]. Here we use the specification language nested-words temporal logic (NWTL) [3], and the automata-theoretic tool of nested-word Büchi automata (NWBA) [?].

We define here and study the NWTL recursive-library-component realizability and synthesis problems. We show that the complexity of the problem is 2EXPTIME-complete (like standard synthesis and synthesis of "goto" components) and provide a 2EXPTIME algorithm for the problem. We use the composition-tree technique of [12], in which a composition is described as an infinite tree. The challenge here is that we need to find nested words in classical trees. While the connection between nested words and trees has been studied elsewhere, cf. [2], our work here is the first to combine nested-word automata with the classical tree-automata framework for temporal synthesis, using techniques developed for two-way automata [13, ?].

2 Preliminaries 

Transducers: A transducer is a deterministic automaton with outputs, $\mathcal{T} = (\Sigma_I, \Sigma_O, Q, q_0, \delta, F, L)$, where: $\Sigma_I$ is a finite input alphabet, $\Sigma_O$ is a finite output alphabet, $Q$ is a set of states, $q_0 \in Q$ is an initial state, $\delta : Q \times \Sigma_I \to Q$ is a transition function, $F$ is a set of final states, and $L : Q \to \Sigma_O$ is an output function labeling states with output letters. For a transducer $\mathcal{T}$ and an input word $w = w_1 w_2 \cdots w_n \in \Sigma_I^*$, a run, or a computation, of $\mathcal{T}$ on $w$ is a sequence of states $r = r_0, r_1, \ldots, r_n \in Q^{n+1}$ such that $r_0 = q_0$ and for every $i \in [n]$ we have $r_i = \delta(r_{i-1}, w_i)$.

For a transducer $\mathcal{T}$, we define $\delta^* : \Sigma_I^* \to Q$ in the following way: $\delta^*(\epsilon) = q_0$, and for $w \in \Sigma_I^*$ and $a \in \Sigma_I$, we have $\delta^*(w \cdot a) = \delta(\delta^*(w), a)$. A $\Sigma_O$-labeled $\Sigma_I$-tree $(\Sigma_I^*, \tau)$ is regular if there exists a transducer $\mathcal{T} = (\Sigma_I, \Sigma_O, Q, q_0, \delta, L)$ such that for every $w \in \Sigma_I^*$ we have $\tau(w) = L(\delta^*(w))$. A transducer $\mathcal{T}$ outputs a letter for every input letter it reads. Therefore, for an input word $w_I \in \Sigma_I^\infty$, the transducer $\mathcal{T}$ induces a word $w \in (\Sigma_I \times \Sigma_O)^\infty$ that combines the input and output of $\mathcal{T}$. The maximal computations of $\mathcal{T}$ are those that exit at a final state in $F$ or are of length $\omega$.

Nested Words, NWTL and NWBA: When considering a run in the "call and return" control-flow model, the run structure should reflect both the linear order of the execution and the matching between calls and their corresponding returns. For example, when a programmer uses a debugger to simulate a run, and the next command to be executed is a call, there are two natural meanings of "simulate next command": first, it is possible to execute the next machine command to be executed (i.e., jump into the called procedure). In debugger terminology this is "step into", and this meaning reflects the linear order of machine commands being executed. On the other hand, it is possible to simulate the entire computation of the procedure being called, i.e., every machine command from the call to its corresponding return. In compiler terminology this is "step over", and this meaning reflects the matching between calls and their returns. Thus, the structure of a run, with the matching between calls and returns, is richer than the sequence of commands that reflects only the linear order. Relating to this richer structure is crucial for reasoning about recursive systems, and it should be reflected in the mathematical model of a run and in the formalism by which formal claims on runs are made, i.e., in the specification formalism.

A run in a "call and return" model is a sequence of configurations, or a word, together with a matching relation that matches calls and their corresponding returns. The matching relation is nested, i.e., constrained to ensure that a return to an inner call appears before the return to an outer call. A formal definition appears below. The model of the run consists of both the word (encoding the linear order) and the matching relation. A word with nested matching is a nested word [6]. At the specification level, it should be possible to make formal claims regarding systems that refer to the "call and return" structure [?]. For example: one may want to argue about the value of some memory location as long as a function is in scope (i.e., during the subsequence of the computation between the call to the function and its corresponding return). Alternatively one may want to argue about the values of some local variables whenever some function is in control (that may correspond to several contiguous subsequences of commands). Another example is arguing about the call stack whenever some function is in control (such as "whenever f is in control either g or h is on the call stack"). Several specification formalisms were suggested to reason about "call and return" computations [5, ?]. Here we use Nested Words Temporal Logic (NWTL) [3], which is both expressive and natural to use. Finally, to reason about nested words, we use nested-word Büchi automata (NWBA), which are a special type of automata that run on nested words [?]. Intuitively, in a standard infinite word, each letter has a single successor letter. Therefore, automata on standard words can be seen as being in some state $q$, reading a letter $a$ and "sending" the next state $q'$ to the successor letter $a'$. In a nested word, however, a letter $a$ might have two "natural successors": first the letter $a'$ following it in the linear sequence of execution, and second another letter $a''$ that is matched to it by the "call and return" matching. An NWBA not only "sends" a state to the successor letter $a'$, but also "sends" some information, named a hierarchical symbol, to the matched letter $a''$. The transition relation takes into account both the state and the hierarchical symbols. A formal definition of NWBAs is presented below.

We proceed with the formal definitions of nested words, the logic NWTL for nested words, and the automata NWBA running on nested words. The material presented below is taken from [3], which we recommend for a reader who is not familiar with nested words, their logic, or their automata.

A matching on $\mathbb{N}$ or an interval $[1,n]$ of $\mathbb{N}$ is a binary relation $\mu$ and two unary relations $call$ and $ret$, satisfying the following: (1) if $\mu(i,j)$ holds then $call(i)$ and $ret(j)$ hold and $i < j$; (2) if $\mu(i,j)$ and $\mu(i,j')$ hold then $j = j'$, and if $\mu(i,j)$ and $\mu(i',j)$ hold then $i = i'$; (3) if $i < j$ and $call(i)$ and $ret(j)$ hold, then there exists $i \le k \le j$ such that either $\mu(i,k)$ or $\mu(k,j)$. Let $\Sigma$ be a finite alphabet. A finite nested word of length $n$ over $\Sigma$ is a tuple $\bar{w} = (w, \mu, call, ret)$, where $w = a_1 \ldots a_n \in \Sigma^*$, and $(\mu, call, ret)$ is a matching on $[1,n]$. A nested $\omega$-word is a tuple $\bar{w} = (w, \mu, call, ret)$, where $w = a_1 a_2 \ldots \in \Sigma^\omega$, and $(\mu, call, ret)$ is a matching on $\mathbb{N}$. We say that a position $i$ in a nested word $\bar{w}$ is a call position if $call(i)$ holds; a return position if $ret(i)$ holds; and an internal position if it is neither a call nor a return. If $\mu(i,j)$ holds, we say that $i$ is the matching call of $j$, and $j$ is the matching return of $i$, and write $c(j) = i$ and $r(i) = j$. Calls without matching returns are pending calls. For a nested word $\bar{w}$, and two positions $i,j$ of $\bar{w}$, we denote by $\bar{w}[i,j]$ the substructure of $\bar{w}$ (i.e., a finite nested word) induced by positions $l$ such that $i \le l \le j$. If $j < i$ we assume that $\bar{w}[i,j]$ is the empty nested word. For nested $\omega$-words $\bar{w}$, we let $\bar{w}[i,\infty]$ denote the substructure induced by positions $l \ge i$. When this is clear from the context, we do not distinguish references to positions in subwords $\bar{w}[i,j]$ and $\bar{w}$ itself, e.g., we shall often write $(\bar{w}[i,j], i) \models \varphi$ to mean that $\varphi$ is true at the first position of $\bar{w}[i,j]$.

Nested words temporal logic (NWTL) is a specification formalism suitable for "call and return" computations [3]. First we define a summary path between positions $i < j$ in a nested word $\bar{w}$. Intuitively, a summary path skips from calls to returns on the way from $i$ to $j$. The summary path between positions $i < j$ in a nested word $\bar{w}$ is a sequence $i = i_0 < i_1 < \ldots < i_k = j$ such that for all $p < k$ we have $i_{p+1} = r(i_p)$ if $i_p$ is a matched call and $j \ge r(i_p)$; or $i_{p+1} = i_p + 1$ otherwise. Next, we define NWTL syntax. For an alphabet $\Sigma$, the letters of $\Sigma$, $\top$ (standing for true), $call$, and $ret$ are NWTL formulas. NWTL has the operators: not $\neg$, or $\vee$, next $\bigcirc$, abstract next (that skips from a call to its return) $\bigcirc_\mu$, previous $\ominus$, abstract previous $\ominus_\mu$, summary until (to be defined below) $U^\sigma$, and summary since $S^\sigma$. For NWTL formulas $\varphi_1, \varphi_2$ the following are NWTL formulas: $\neg\varphi_1 \mid \varphi_1 \vee \varphi_2 \mid \bigcirc\varphi_1 \mid \bigcirc_\mu\varphi_1 \mid \ominus\varphi_1 \mid \ominus_\mu\varphi_1 \mid \varphi_1 U^\sigma \varphi_2 \mid \varphi_1 S^\sigma \varphi_2$. We proceed to define NWTL semantics. Let $w = w_1 \ldots w_n$ or $w_1 w_2 \ldots$ be a finite or infinite word over $\Sigma$. Let $\bar{w} = (w, call, ret, \mu)$, and let $i \ge 1$ be a number bounded by the length of $w$. Every nested word satisfies $\top$, in particular $(\bar{w}, i) \models \top$. For a letter $\sigma \in \Sigma$ we have $(\bar{w}, i) \models \sigma$ iff $\sigma = w_i$. (This can be extended to alphabets of the type $\Sigma = 2^{AP}$, which consist of sets of atomic propositions, in the standard way, i.e., $(\bar{w}, i) \models p$ iff $p \in w_i$.) The semantics of the Boolean operators is standard: $(\bar{w}, i) \models \neg\varphi$ iff $(\bar{w}, i) \not\models \varphi$; and $(\bar{w}, i) \models \varphi_1 \vee \varphi_2$ iff $(\bar{w}, i) \models \varphi_1$ or $(\bar{w}, i) \models \varphi_2$. We also have $(\bar{w}, i) \models \bigcirc\varphi$ iff $(\bar{w}, i+1) \models \varphi$, and $(\bar{w}, i) \models \ominus\varphi$ iff $(\bar{w}, i-1) \models \varphi$. We have $(\bar{w}, i) \models call$ iff $i$ is a call, and $(\bar{w}, i) \models ret$ iff $i$ is a return. We have $(\bar{w}, i) \models \bigcirc_\mu\varphi$ iff $i$ is a call with a matching return $j$ (i.e., $\mu(i,j)$ holds) and $(\bar{w}, j) \models \varphi$. Similarly, $(\bar{w}, i) \models \ominus_\mu\varphi$ iff $i$ is a return with a matching call $j$ (i.e., $\mu(j,i)$ holds) and $(\bar{w}, j) \models \varphi$. For summary until we have $(\bar{w}, i) \models \varphi_1 U^\sigma \varphi_2$ iff there exists a $j \ge i$ for which $(\bar{w}, j) \models \varphi_2$, and for the summary path $i = i_0 < i_1 < \ldots < i_k = j$ between $i$ and $j$ we have for every $p < k$ that $(\bar{w}, i_p) \models \varphi_1$. Similarly, $(\bar{w}, i) \models \varphi_1 S^\sigma \varphi_2$ iff there exists a position $j \le i$ for which $(\bar{w}, j) \models \varphi_2$ and for the summary path $j = i_0 < i_1 < \ldots < i_k = i$ between $j$ and $i$ we have for every $p \in [k]$ that $(\bar{w}, i_p) \models \varphi_1$.
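The matching conditions, summary paths and NWTL semantics just defined, as an added worked example (this code is not part of the paper): a small checker that validates a matching against conditions (1)-(3), computes summary paths, and evaluates NWTL formulas at a position of a finite nested word. Letters are sets of atomic propositions, formulas are nested tuples, and the trace it runs on (a function f that takes a lock, calls g, and releases the lock) is constructed here; none of these names come from the paper.

```python
# Added example (not from the paper): finite nested words, summary paths and a
# model checker for NWTL over them, written directly from the definitions above.
# Positions are 1-indexed as in the text; a letter is a set of atomic propositions.


class NestedWord:
    """Finite nested word (w, mu, call, ret) with the matching conditions (1)-(3)."""

    def __init__(self, letters, mu, calls, rets):
        self.w = [None] + [frozenset(a) for a in letters]   # w[1..n]
        self.n = len(letters)
        self.mu = dict(mu)                                   # matched call -> its return
        self.calls, self.rets = set(calls), set(rets)
        self.c = {j: i for i, j in self.mu.items()}          # matching call of a return
        self._check_matching()

    def _check_matching(self):
        for i, j in self.mu.items():                         # (1)
            if not (i in self.calls and j in self.rets and i < j):
                raise ValueError("mu must relate a call to a later return")
        if len(set(self.mu.values())) != len(self.mu):       # (2); dict keys are unique already
            raise ValueError("a return is matched to two calls")
        for i in self.calls:                                 # (3): no crossing edges
            for j in self.rets:
                if i < j and not any(self.mu.get(i) == k or self.mu.get(k) == j
                                     for k in range(i, j + 1)):
                    raise ValueError("matching is not nested")

    def r(self, i):
        """Matching return of call i, or None if i is pending."""
        return self.mu.get(i)

    def summary_path(self, i, j):
        """i = i_0 < ... < i_k = j: jump from a matched call to its return when the
        return does not lie beyond j, otherwise step to the next position."""
        path = [i]
        while path[-1] < j:
            p = path[-1]
            if p in self.calls and self.r(p) is not None and j >= self.r(p):
                path.append(self.r(p))
            else:
                path.append(p + 1)
        return path


def holds(nw, i, phi):
    """(nw, i) |= phi. Formulas: ('true',), ('call',), ('ret',), ('prop', p), ('not', f),
    ('or', f, g), ('next', f), ('anext', f), ('prev', f), ('aprev', f),
    ('until', f, g) for summary until and ('since', f, g) for summary since."""
    op = phi[0]
    if op == "true":
        return True
    if op == "prop":
        return phi[1] in nw.w[i]
    if op == "call":
        return i in nw.calls
    if op == "ret":
        return i in nw.rets
    if op == "not":
        return not holds(nw, i, phi[1])
    if op == "or":
        return holds(nw, i, phi[1]) or holds(nw, i, phi[2])
    if op == "next":
        return i + 1 <= nw.n and holds(nw, i + 1, phi[1])
    if op == "prev":
        return i - 1 >= 1 and holds(nw, i - 1, phi[1])
    if op == "anext":                        # abstract next: from a call to its return
        j = nw.r(i) if i in nw.calls else None
        return j is not None and holds(nw, j, phi[1])
    if op == "aprev":                        # abstract previous: from a return to its call
        j = nw.c.get(i) if i in nw.rets else None
        return j is not None and holds(nw, j, phi[1])
    if op == "until":                        # phi_1 on the summary path to j, except at j
        return any(holds(nw, j, phi[2])
                   and all(holds(nw, p, phi[1]) for p in nw.summary_path(i, j)[:-1])
                   for j in range(i, nw.n + 1))
    if op == "since":                        # phi_1 on the summary path from j, except at j
        return any(holds(nw, j, phi[2])
                   and all(holds(nw, p, phi[1]) for p in nw.summary_path(j, i)[1:])
                   for j in range(i, 0, -1))
    raise ValueError(f"unknown operator {op!r}")


# Constructed trace: main calls f; f takes a lock, calls g (whose body raises an
# internal error flag), then releases the lock and returns to main.
TRACE = NestedWord(
    letters=[{"main"}, {"f"}, {"f", "lock"}, {"g"}, {"g", "err"},
             {"g"}, {"f", "unlock"}, {"f"}, {"main"}],
    mu={2: 8, 4: 6}, calls={2, 4}, rets={6, 8})


def check_trace():
    no_err = ("not", ("prop", "err"))
    return {
        "summary_path": TRACE.summary_path(3, 7),      # steps over g's body: 3, 4, 6, 7
        # "no error in f's own computation until the lock is released" ignores g's err
        "local_no_err": holds(TRACE, 3, ("until", no_err, ("prop", "unlock"))),
        "err_at_5": holds(TRACE, 5, ("prop", "err")),   # the error is there, inside g
        "call_returns_to_f": holds(TRACE, 2, ("anext", ("prop", "f"))),
        "lock_held": holds(TRACE, 7, ("since", no_err, ("prop", "lock"))),
    }
```

The summary until from position 3 is true although position 5 carries `err`, because the summary path from 3 to 7 is 3, 4, 6, 7: the matched call at 4 is skipped to its return at 6, which is exactly the "step over" view of the run described above.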

Rather than use NWTL directly, we use here nested-word Büchi automata (NWBA), which are known to be at least as expressive as NWTL; in fact, there is an exponential translation from NWTL to NWBA [?], analogous to the exponential translation of linear temporal logic to Büchi automata [18]. A nondeterministic nested-word Büchi automaton (NWBA) is a tuple $\mathcal{A} = (\Sigma, Q, Q_0, Q_f, P, P_0, P_f, \delta_c, \delta_i, \delta_r)$, consisting of a finite alphabet $\Sigma$, a finite set $Q$ of states, a set $Q_0 \subseteq Q$ of initial states, a set $Q_f \subseteq Q$ of accepting states, a finite set $P$ of hierarchical symbols, a set $P_0 \subseteq P$ of initial hierarchical symbols, a set $P_f \subseteq P$ of final hierarchical symbols, a call-transition relation $\delta_c \subseteq Q \times \Sigma \times Q \times P$, an internal-transition relation $\delta_i \subseteq Q \times \Sigma \times Q$, and a return-transition relation $\delta_r \subseteq Q \times P \times \Sigma \times Q$. The automaton $\mathcal{A}$ starts in an initial state and reads the nested word from left to right. A run $r$ of the automaton over a nested word $\bar{w} = (a_1 a_2 \cdots, \mu, call, ret)$ is a sequence $q_0, q_1, \ldots$ of states, and a sequence $p_{i_1}, p_{i_2}, \ldots$ of hierarchical symbols, corresponding to the call positions $i_1, i_2, \ldots$, such that $q_0 \in Q_0$, and for each position $i$: if $i$ is a call then $(q_{i-1}, a_i, q_i, p_i) \in \delta_c$; if $i$ is internal, then $(q_{i-1}, a_i, q_i) \in \delta_i$; if $i$ is a return such that $\mu(j,i)$ holds then $(q_{i-1}, p_j, a_i, q_i) \in \delta_r$; and if $i$ is an unmatched return then $(q_{i-1}, p, a_i, q_i) \in \delta_r$ for some $p \in P_0$. Intuitively, in a run $r$, the hierarchical symbol associated with a matched return position $i$ is the hierarchical symbol $p_j$ associated with the call position $j$ that is matched to $i$. The run $r$ is accepting if (1) for all pending calls $i$, $p_i \in P_f$, and (2) if $w$ is a finite word of length $l$ then the final state $q_l$ is accepting (i.e., $q_l \in Q_f$), and if $w$ is an $\omega$-word then for infinitely many positions $i$ we have $q_i \in Q_f$. The automaton $\mathcal{A}$ accepts the nested word $\bar{w}$ if it has an accepting run over $\bar{w}$.
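The run and acceptance conditions of an NWBA on a finite nested word, as an added example (not from the paper): the nondeterministic automaton is simulated as a set of (state, stack) configurations, where the stack holds the hierarchical symbols sent by the pending calls, so that a matched return reads the symbol of its matching call and an unmatched return may use any initial symbol. The automaton and the words it is run on are constructed here for the example; a single state suffices because the property is carried entirely by the hierarchical symbols.

```python
# Added example (not from the paper): acceptance of a finite nested word by a
# nondeterministic NWBA, simulated as a set of (state, stack of hierarchical
# symbols) configurations. The automaton and words are constructed for this example.


class NWBA:
    """(Sigma, Q, Q0, Qf, P, P0, Pf, delta_c, delta_i, delta_r); Sigma, Q and P are
    implicit in the transition relations, which are given as sets of tuples."""

    def __init__(self, q0s, qfs, p0s, pfs, delta_c, delta_i, delta_r):
        self.Q0, self.Qf, self.P0, self.Pf = set(q0s), set(qfs), set(p0s), set(pfs)
        self.dc, self.di, self.dr = set(delta_c), set(delta_i), set(delta_r)

    def accepts(self, letters, calls, rets, mu):
        """letters a_1..a_n (given as a 0-indexed list), the sets of call and return
        positions (1-indexed) and the matching mu as a dict call -> return."""
        c = {j: i for i, j in mu.items()}            # matching call of a return
        configs = {(q, ()) for q in self.Q0}         # stack: tuple of (call position, symbol)
        for i, a in enumerate(letters, start=1):
            nxt = set()
            for q, stack in configs:
                if i in calls:                       # call: push the symbol sent to the return
                    nxt |= {(q2, stack + ((i, p),)) for (q1, a1, q2, p) in self.dc
                            if q1 == q and a1 == a}
                elif i in rets and i in c:           # matched return: pop its call's symbol
                    if stack and stack[-1][0] == c[i]:
                        nxt |= {(q2, stack[:-1]) for (q1, p1, a1, q2) in self.dr
                                if q1 == q and p1 == stack[-1][1] and a1 == a}
                elif i in rets:                      # unmatched return: any initial symbol
                    nxt |= {(q2, stack) for (q1, p1, a1, q2) in self.dr
                            if q1 == q and p1 in self.P0 and a1 == a}
                else:                                # internal position
                    nxt |= {(q2, stack) for (q1, a1, q2) in self.di if q1 == q and a1 == a}
            configs = nxt
        # accepting: final state in Qf and every pending call carries a final symbol
        return any(q in self.Qf and all(p in self.Pf for _, p in stack)
                   for q, stack in configs)


# Constructed property: a call labelled "acq" (acquire) must be answered by a
# matching return labelled "rel" (release) and must not stay pending. One state q;
# hierarchical symbol A remembers "acquired", N is neutral.
SIGMA = {"acq", "rel", "x"}
LOCK_DISCIPLINE = NWBA(
    q0s={"q"}, qfs={"q"}, p0s={"N"}, pfs={"N"},
    delta_c={("q", "acq", "q", "A")} | {("q", a, "q", "N") for a in SIGMA - {"acq"}},
    delta_i={("q", a, "q") for a in SIGMA},
    delta_r={("q", "A", "rel", "q")} | {("q", "N", a, "q") for a in SIGMA},
)


def check_words():
    run = LOCK_DISCIPLINE.accepts
    return {
        "balanced": run(["acq", "x", "rel"], {1}, {3}, {1: 3}),          # accepted
        "no_release": run(["acq", "x", "x"], {1}, {3}, {1: 3}),          # rejected
        "pending_acq": run(["acq", "x"], {1}, set(), {}),                # rejected: A not final
        "pending_neutral": run(["rel", "x", "x"], {3}, {1}, {}),         # unmatched ret, pending N
        "nested": run(["acq", "acq", "rel", "x", "rel"], {1, 2}, {3, 5}, {1: 5, 2: 3}),
    }
```

The "no_release" word is rejected because no return transition reads symbol A with letter x, so the configuration set becomes empty; the "pending_acq" word is rejected only by the acceptance condition on pending calls, since its run exists but leaves A on the stack.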



3 The computational model 

Recursive Components and their composition: To reason about recursive components one has to choose a mathematical model for components. The choice of model has to balance the need for a rich modeling formalism, for which computationally powerful models are preferred, and the need to avoid the pitfall of undecidability, for which simpler models are preferred. A successful sweet spot in this trade-off is the computational model of finite-state transducers, i.e., finite-state machines with output. A common approach to reasoning about real-world systems is to abstract away the data-intensive aspects of the computation and model the control aspects of the computation by a finite-state transducer. Using this approach, the transducer model is rich enough to model real-world industrial designs [?]. For that reason, transducers are widely used in both theory [18, 14, 4] and practice [?], and are prime candidates as a model for "call and return" components.

To model "call and return" control flow by transducers, we introduce a small variation on the basic transducer model. Essentially, we use transducers in which some states are "call states", where a transition to one of these states stands for a call to another component; some states are "return states", where a transition to one of these states stands for a return to the component that called this component; and some states are re-entry states, i.e., states which the component enters upon return from a call to another component. Similar models can be found in [?]. Different return values are modeled here by having different re-entry states. The model is somewhat simplified in the sense that a return is not constrained in terms of the call state through which the call was made. In software, for example, the return is constrained to the instruction following the call instruction (although several return values may be permitted). Nevertheless, the model is rich enough to deal with the essence of "calls and returns", and the techniques we present can be used to deal with richer models (e.g., each call may be associated with a mapping between return states and re-entry states, capturing constrained returns as above). We chose this simpler model as it allows for simpler notation and a clearer presentation of the underlying ideas.

To simplify the notation, we fix a number $n_C$ and assume every component in the library has exactly $n_C$ call states. Similarly, we fix a number $n_R$ and assume every component in the library has exactly $n_R$ return states, as well as exactly $n_R$ re-entry states to which the control is passed upon return.

A Recursive Library Component (RLC) is a finite transducer with call, return and re-entry states. Formally, an RLC is a tuple $M = (\Sigma_I, \Sigma_O, S, s_0, S_e, S_C, S_R, \delta, L)$ where: (1) $\Sigma_I$ and $\Sigma_O$ are finite input and output alphabets. (2) $S$ is a finite set of states. (3) $s_0 \in S$ is an initial state. When called by another component, the component $M$ enters $s_0$. (4) $S_e \subseteq S$ is a set of re-entry states. When the control returns from a call to another component, $M$ enters one of the re-entry states in $S_e$. We denote $S_e = \{s_e^1, \ldots, s_e^{n_R}\}$. (5) $S_C \subseteq S$ is a set of call states. When $M$ enters a state in $S_C$, another component $M'$ is called, and the control is transferred to $M'$ until control is returned. We denote $S_C = \{s_C^1, \ldots, s_C^{n_C}\}$. (6) $S_R \subseteq S$ is a set of return states. When $M$ enters a return state, the control is returned to the component that called $M$. We denote $S_R = \{s_R^1, \ldots, s_R^{n_R}\}$. When the $i$-th return state, i.e., $s_R^i$, is entered, control is returned to the caller component $M'$, which is entered at its $i$-th re-entry state (i.e., $M'$'s state $s_e^i$). (7) $\delta : S \times \Sigma_I \to S$ is a transition function. (8) $L : S \to \Sigma_O$ is an output function, labeling each state by an output symbol.

The setting we consider is the one in which we are given a library $\mathcal{L} = \{C_1, \ldots, C_l\}$ of RLC components. A composition over $\mathcal{L}$ is a tuple $((1, C_1, f_1), (2, C_2, f_2), \ldots, (k, C_k, f_k))$ of $k$ composition elements, in which each composition element is a triple composed of an index $i$, an RLC $C_i \in \mathcal{L}$, and an interface function $f_i : S_C \to [k]$ that maps each of $C_i$'s call states into the composition element that is called upon entry to the call state. Note that the same RLC can be instantiated in different elements of the composition, but with different interface functions, and the size of the composition is a priori unbounded.² While we consider here only finite compositions, we could have considered, in principle, also infinite compositions. As we shall see, for NWBA specifications, finite compositions are sufficient.

² If we had bounded the number of elements in a composition, then the number of ways in which these elements can be composed would have been finite and the search for a composition that satisfies some specification would have turned into a combinatorial search, analogously, for example, to bounded synthesis [10].

A run of the system begins in state $s_0$ of $C_1$. When the run is in a state of the component $C_i$ we say that the component $C_i$ is in control. For example, a run begins when the component $C_1$ is in control. For every $i \le k$, as long as a component $C_i$ is in control, the system behaves as $C_i$ until an exit state (i.e., a call state or a return state) is entered. If a call state $s_C^j \in S_C$ of $C_i$ is entered then the component $C_{f_i(j)}$ is called. That is, the control is passed to the $f_i(j)$-th component in the composition. The run proceeds from the start state of $C_{f_i(j)}$. If a return state $s_R^j \in S_R$ of $C_i$ is entered (when $C_i$ is in control), then $C_i$ returns the control to the component that called $C_i$. If, for example, $C_i$ was called by $C_{i'}$ then when $s_R^j$ is entered, the run proceeds from the re-entry state $s_e^j$ of $C_{i'}$. We now define the composition formally.

Formally, a composition $C = ((1, C_1, f_1), (2, C_2, f_2), \ldots, (k, C_k, f_k))$, where $C_i = (\Sigma_I, \Sigma_O, S[i], s_0[i], S_e[i], S_C[i], S_R[i], \delta[i], L[i])$, induces a (possibly infinite) transducer $M = (\Sigma_I, \Sigma_O, S_M, s_0^M, F_M, \delta_M, L_M)$, where:

1. The input alphabet is $\Sigma_I$ and the output alphabet is $\Sigma_O$.

2. The states of $M$ are finite sequences of the form $(i_1, i_2, \ldots, i_m, s)$, where for every $j \le m$ we have $i_j \in [k]$, and the final element is a state $s \in S[i_m]$ of $C_{i_m}$. Intuitively, such a state stands for the computation being in the state $s$ of the RLC $C_{i_m}$, where the computation call stack is $i_1, i_2, \ldots, i_m$. The initial state of $M$ is $(1, s_0[1])$, where $s_0[1]$ is the initial state of $C_1$. Formally, $S_M = [k]^* \cdot (\bigcup_{i \in [k]} S[i])$.

3. Next, we define the transition function $\delta_M$. Let $v = (i_1, i_2, \ldots, i_m, s)$ be a state of $M$. Then, $\delta_M(v, \sigma) = v'$ if one of the following holds:

(a) internal transition: If $\delta[i_m](s, \sigma) = s'$ for some state $s' \in S[i_m] \setminus (S_C[i_m] \cup S_R[i_m])$ of $C_{i_m}$, then $v' = (i_1, \ldots, i_m, s')$.

(b) call transition: If $\delta[i_m](s, \sigma) = s'$ where $s' \in S_C[i_m]$ is the $j$-th call state of $C_{i_m}$ (i.e., $s' = s_C^j[i_m]$), then $v' = (i_1, \ldots, i_m, f_{i_m}(j), s_0[f_{i_m}(j)])$.

(c) return transition: If $\delta[i_m](s, \sigma) = s'$ where $s' \in S_R[i_m]$ is the $j$-th return state of $C_{i_m}$ (i.e., $s' = s_R^j[i_m]$), then $v' = (i_1, \ldots, i_{m-1}, s_e^j[i_{m-1}])$.

4. The final state set is $F_M = (1, S_R[1])$. Intuitively, the computation terminates when the first component returns.

5. The output function $L_M$ is defined by $L_M((i_1, \ldots, i_m, s)) = L[i_m](s)$.

For an input word $w^I = w^I_0, w^I_1, \ldots \in \Sigma_I^\infty$, the transducer $M$ induces an output word $w^O = w^O_0, w^O_1, \ldots \in \Sigma_O^\infty$. We denote by $w = (w^I_0, w^O_0), (w^I_1, w^O_1), \ldots$ the combined input-output sequence induced by $w^I$. Furthermore, on the input word $w^I$, the composition $C$ induces a nested word $\bar{w} = (w, call, ret, \mu)$ in which $w$ is the input-output induced word, $call$ holds in positions in which a component made a call, $ret$ holds in positions in which a component returned, and $\mu$ maps each call to its return. We sometimes abuse notation and refer to the word $w$ rather than the nested word $\bar{w}$. Similarly, we might refer to a computation of, or in, a composition, meaning a nested word induced by the composition. Similarly, we may refer to a computation segment, meaning a substructure $\bar{w}[i,j]$, for some positions $i, j$, of a computation.
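The induced transducer $M$ and the nested word a composition induces on an input word, as an added example (this code is not the paper's): three constructed RLCs (an online store that calls a payment service, which in turn calls a bank, in the spirit of the store/PayPal example in the introduction) are composed and run on a constructed input word, and the run records the call and return positions and the matching $\mu$ exactly as the transitions (a)-(c) above prescribe. Assumptions made here and not fixed by the text: $n_C = 1$ and $n_R = 2$ for every component, transitions not listed in $\delta$ are self-loops, and the output paired with an input letter is that of the state of $M$ reached after reading it.

```python
# Added example (not from the paper): recursive library components, a finite
# composition and the induced transducer M, run on a constructed input word to
# produce the nested word (w, call, ret, mu) that the composition induces.
# Assumptions: n_C = 1 and n_R = 2 for every component; transitions not listed in
# delta are self-loops; the output paired with an input letter is that of the
# state of M reached after reading it.


class RLC:
    def __init__(self, name, s0, reentry, calls, returns, delta, out):
        self.name, self.s0 = name, s0
        self.Se, self.SC, self.SR = list(reentry), list(calls), list(returns)  # s_e^j, s_C^j, s_R^j
        self.delta, self.L = delta, out              # delta[(s, a)] = s'; L[s] = output letter

    def step(self, s, a):
        return self.delta.get((s, a), s)


def run_composition(comp, inputs):
    """Run the transducer M induced by comp = [(index, RLC, f)] on `inputs`,
    stopping when the first component returns (M's final states F_M)."""
    elems = {idx: (c, f) for idx, c, f in comp}
    stack, s = [1], elems[1][0].s0                   # M's state: (i_1 ... i_m, s)
    word, calls, rets, mu, open_calls = [], set(), set(), {}, []
    for pos, a in enumerate(inputs, start=1):
        cur, f = elems[stack[-1]]
        t = cur.step(s, a)
        if t in cur.SC:                              # (b) call: descend into element f(j)
            j = cur.SC.index(t) + 1
            stack.append(f[j])
            s = elems[f[j]][0].s0
            calls.add(pos)
            open_calls.append(pos)
        elif t in cur.SR:                            # (c) return
            j = cur.SR.index(t) + 1
            rets.add(pos)
            if len(stack) == 1:                      # first component returned: final state
                s = t
                word.append((a, cur.L[s]))
                return {"word": word, "calls": calls, "rets": rets, "mu": mu,
                        "stack": stack, "terminated": True}
            stack.pop()
            s = elems[stack[-1]][0].Se[j - 1]        # caller resumes at its j-th re-entry state
            mu[open_calls.pop()] = pos
        else:                                        # (a) internal
            s = t
        word.append((a, elems[stack[-1]][0].L[s]))
    return {"word": word, "calls": calls, "rets": rets, "mu": mu,
            "stack": stack, "terminated": False}


# Constructed library: an online store calls a payment service, which calls a bank.
STORE = RLC("store", "idle", reentry=["paid", "declined"], calls=["pay"],
            returns=["exit_ok", "exit_fail"],
            delta={("idle", "a"): "cart", ("cart", "c"): "pay", ("paid", "q"): "exit_ok",
                   ("declined", "a"): "cart", ("declined", "q"): "exit_fail"},
            out={"idle": "welcome", "cart": "cart", "pay": "-", "paid": "receipt",
                 "declined": "retry", "exit_ok": "bye", "exit_fail": "bye"})
PAYMENT = RLC("payment", "prompt", reentry=["verified", "rejected"], calls=["verify"],
              returns=["approved", "declined"],
              delta={("prompt", "v"): "verify", ("verified", "y"): "approved",
                     ("rejected", "n"): "declined"},
              out={"prompt": "pay?", "verify": "-", "verified": "verified",
                   "rejected": "rejected", "approved": "-", "declined": "-"})
BANK = RLC("bank", "check", reentry=["e1", "e2"], calls=["unused"], returns=["yes", "no"],
           delta={("check", "y"): "yes", ("check", "n"): "no"},
           out={"check": "checking", "unused": "-", "e1": "-", "e2": "-", "yes": "-", "no": "-"})

# Composition ((1, STORE, f_1), (2, PAYMENT, f_2), (3, BANK, f_3)); each f_i maps the
# single call state; BANK's call state is never entered, so f_3 is arbitrary.
SHOP = [(1, STORE, {1: 2}), (2, PAYMENT, {1: 3}), (3, BANK, {1: 3})]


def checkout_run():
    return run_composition(SHOP, ["a", "c", "v", "y", "y", "q"])
```

On the input `a c v y y q` the call stack grows to (1, 2, 3) and unwinds again: positions 2 and 3 are calls, 4 and 5 their returns with $\mu = \{2 \mapsto 5, 3 \mapsto 4\}$, and position 6 is the first component's own return, at which the computation is maximal.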

A composition $C$ realizes an NWTL specification $\varphi$ if all computations induced by $C$ satisfy $\varphi$. The recursive-library-components realizability problem is: given a library of RLCs $\mathcal{L} = \{M_i\}_{i=1}^n$ and an NWTL specification $\varphi$, decide whether there exists a composition of components from the library that realizes $\varphi$. The recursive-library-components synthesis problem is: given a library of RLCs $\mathcal{L} = \{M_i\}_{i=1}^n$ and an NWTL specification $\varphi$, decide whether $\varphi$ is realizable by a composition of RLCs from $\mathcal{L}$ and, if so, output a composition realizing $\varphi$.

Composition trees: Next, we define the notion of a composition tree, which is the analog of a control-flow tree in [12]. Fixing a library $\mathcal{L}$ of RLCs, composition trees represent compositions. A composition tree is a labeled tree $\tau = (T, \lambda)$, where $T$, the tree structure, is the set $[n_C]^*$, and $\lambda : T \to \mathcal{L}$ is a mapping of the tree vertices into $\mathcal{L}$. Every composition $C = ((1, C_1, f_1), (2, C_2, f_2), \ldots, (k, C_k, f_k))$ induces an $\mathcal{L}$-labeled composition tree $\tau_C$. We first show that $C$ induces a $[k]$-labeled tree that we call the intermediate tree. A labeled tree $([n_C]^*, \kappa)$, where $\kappa : [n_C]^* \to [k]$, is the intermediate mapping induced by $C$ if $\kappa(\epsilon) = 1$ and, for every $v \in [n_C]^*$ and $j \in [n_C]$, we have that $\kappa(v \cdot j) = f_{\kappa(v)}(j)$. The composition tree induced by $C$ is $([n_C]^*, \lambda)$, where for every $v \in [n_C]^*$ we have that $\lambda(v) = C_{\kappa(v)}$. A node $v = i_1 \cdots i_k$ represents a call-stack configuration. The node's label $\lambda(v)$ is the component in control, while the labels of the node's successors, i.e., $\lambda(v \cdot 1), \ldots, \lambda(v \cdot n_C)$, stand for the components that are called if a call state is entered. Intuitively, the control flow of an actual computation is represented by a traversal in a composition tree. The control is first given to the component labeling the root. For a node $v$, a call corresponds to a descent to a successor (where a call from the $i$-th call state corresponds to a descent to the $i$-th successor). Similarly, a return from a node $v$ corresponds to an ascent to the predecessor of $v$.

Thus, a composition induces a composition tree. On the other hand, a composition tree can be seen as an "infinite composition" in which each node $v$ stands for a composition element in which the component is the label of $v$, and the interface function $f_v$ maps the call states to the successors (i.e., for every $v \in [n_C]^*$ and $i \in [n_C]$ we have $f_v(i) = v \cdot i$). So a composition tree induces an infinite composition. We abuse terminology and refer to computations of a composition tree, where we mean to refer to computations of the induced infinite composition. Furthermore, in Theorem 4.2 we show how a finite composition can be extracted from a regular composition tree. Another abuse of terminology we make is to refer to a labeled subtree of a composition tree as a composition tree.

4 Recursive-library-components synthesis algorithm 

Our approach to the solution of the RLC synthesis problem is first to construct a tree automaton $\mathcal{A}_b$ that accepts composition trees that do not satisfy the specification. Once that is achieved, $\mathcal{A}_b$ can be complemented to get an automaton $\mathcal{A}$ which accepts composition trees that do satisfy the specification. Finally, $\mathcal{A}$'s language can be checked for emptiness and, if not empty, a system can be extracted from a witness (similar to the algorithm in [12]). Thus, the main ingredient in the solution is the following theorem (that allows the construction of $\mathcal{A}_b$).

Theorem 4.1: Let $\mathcal{L}$ be a library of RLC components, each with $n_R$ return states, and let $\mathcal{A}_\varphi$ be an NWBA. There exists an alternating Büchi automaton on trees (ABT) $\mathcal{A}$, with at most $O(|\mathcal{A}_\varphi|^2 \cdot n_R)$ states, whose language is the set of composition trees for which there exists a computation in the language of $\mathcal{A}_\varphi$.

Our main result follows from Theorem 4.1.

Theorem 4.2: The recursive library components realizability problem and the recursive library components synthesis problem are 2EXPTIME-complete.

Proof: The algorithm proceeds as follows. We first translate $\neg\varphi$ into an equivalent NWBA $\mathcal{A}_{\neg\varphi}$, with an exponential blow-up [3]. We then construct an ABT $\mathcal{A}$ for $\mathcal{A}_{\neg\varphi}$ according to Theorem 4.1, dualize $\mathcal{A}$ into an alternating co-Büchi automaton on trees (ACT) $\mathcal{A}'$, and check the language of $\mathcal{A}'$ for nonemptiness as in [11]. If the specification is realizable, then the language of $\mathcal{A}'$ contains a regular composition tree, for which all computations satisfy $\varphi$. Otherwise, the language of $\mathcal{A}'$ is empty. A regular composition tree $([n_C]^*, t)$ is induced by a transducer (without final states) $T = ([n_C], \mathcal{L}, Q, q_0, \delta, L)$ such that for every $w \in [n_C]^*$ we have $t(w) = L(\delta^*(w))$. We assume, w.l.o.g., that the set $Q$ is the set $[|Q|]$ of natural numbers and that $q_0$ is the number 1. A finite composition can now be constructed as follows: for every state $q \in Q$ there is a composition element $(q, C_q, f_q)$ in which $C_q = L(q)$ and, for every $j \in [n_C]$, $f_q(j) = \delta(q, j)$. It can then be shown that the constructed composition induces the same infinite-state transducer as the regular composition tree (up to component names) and therefore satisfies $\varphi$.

As for complexity, the number of states of $\mathcal{A}$ is quadratic in $|\mathcal{A}_{\neg\varphi}|$ and linear in $n$ and $b$ (upper bounding $n_R$ by $b$). (Note that quadratic in $|\mathcal{A}_{\neg\varphi}|$ is exponential in $|\varphi|$.) The complementation of $\mathcal{A}$ into $\mathcal{A}'$ incurs no complexity cost. Finally, checking $\mathcal{A}'$ for emptiness is exponential in its number of states. This provides a 2EXPTIME upper bound. For a lower bound, note that a "goto" can be seen as a call without a return, and LTL is a fragment of NWTL. Thus, a 2EXPTIME lower bound follows from the 2EXPTIME lower bound in [12]. □
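The two directions described above, unfolding a finite composition into its composition tree and extracting a finite composition from the transducer of a regular tree, as an added example that is not code from the paper. The library (components "Gui" and "Net"), the value $n_C = 2$ and the transducer $T$ are constructed for illustration; the composition is represented as a dictionary from element index to a pair (component name, interface function $f$).

```python
from itertools import product

# Constructed example, not from the paper: a library with two components,
# "Gui" and "Net", where every component has n_C = 2 call states.  A
# composition is {element index: (component name, f)} with f mapping each
# call-state index j in [n_C] to the element index that is called from it.
N_C = 2


def induced_tree(composition, root, depth):
    """Unfold a finite composition into the first `depth` levels of the
    composition tree it induces: kappa(eps) = root, kappa(v.j) = f_{kappa(v)}(j)
    and lambda(v) = C_{kappa(v)}.  Returns {node (tuple of directions): name}."""
    kappa = {(): root}
    for level in range(depth):
        for node in [v for v in kappa if len(v) == level]:
            _, f = composition[kappa[node]]
            for j in range(1, N_C + 1):
                kappa[node + (j,)] = f[j]
    return {v: composition[i][0] for v, i in kappa.items()}


def regular_tree(T, depth):
    """The regular composition tree of a transducer T = ([n_C], Lib, Q, q0,
    delta, L): t(w) = L(delta*(w)), for every w of length at most `depth`."""
    tree = {}
    for n in range(depth + 1):
        for w in product(range(1, N_C + 1), repeat=n):
            q = T["q0"]
            for j in w:
                q = T["delta"][(q, j)]
            tree[w] = T["L"][q]
    return tree


def composition_from_transducer(T):
    """The extraction from the proof of Theorem 4.2: one composition element
    (q, C_q, f_q) per transducer state q, with C_q = L(q) and f_q(j) = delta(q, j)."""
    return {q: (T["L"][q], {j: T["delta"][(q, j)] for j in range(1, N_C + 1)})
            for q in T["Q"]}


# Constructed transducer with Q = [3] and q0 = 1, as the proof assumes w.l.o.g.
T = {
    "Q": [1, 2, 3], "q0": 1,
    "delta": {(1, 1): 2, (1, 2): 3, (2, 1): 2, (2, 2): 1, (3, 1): 1, (3, 2): 3},
    "L": {1: "Gui", 2: "Net", 3: "Gui"},
}


def trees_agree(depth=5):
    """The finite composition extracted from T induces exactly T's regular tree
    (checked up to the given depth)."""
    comp = composition_from_transducer(T)
    return induced_tree(comp, T["q0"], depth) == regular_tree(T, depth)


if __name__ == "__main__":
    print(composition_from_transducer(T))
    print(trees_agree())
```

The check in `trees_agree` is the "up to component names" statement of the proof made concrete: because element indices are transducer states, the unfolding of the extracted composition and the transducer's own output tree coincide node for node.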

We now prove Theorem 4.1. There are two sources of difficulty in the construction. First, we have to handle call-and-return computations in composition trees. While computations in the composition trees of [12] always go down the tree, computations here go up and down the tree. Second, we have to emulate an NWBA on the computations of composition trees, but we want to end up with standard tree automata rather than nested-word automata.

Intuitively, given a composition tree as input, our construction guesses a computation of the input tree in the language of $\mathcal{A}_\varphi$, together with an accepting run of $\mathcal{A}_\varphi$ on the guessed computation. As mentioned in the discussion of composition trees, however, a computation of the composed system corresponds to a traversal of the composition tree. Therefore, to guess the computation, i.e., the traversal of the input tree, and the run of $\mathcal{A}_\varphi$ on it, we employ two-way-automata techniques.

Let $\mathcal{A}_\varphi = (Q, Q_0, Q_f, P, P_0, P_f, \delta_c, \delta_i, \delta_r)$. The construction of $\mathcal{A}$ is quite technical. Below we present the construction of $\mathcal{A}$, where the introduction of each part begins with an informal, intuitive discussion and ends in a formal definition.

The states of $\mathcal{A}$: Intuitively, $\mathcal{A}$ reads an input tree $T$ and guesses an accepting run of $\mathcal{A}_\varphi$ on a computation of that input tree. The difficulty is that a computation cannot be guessed node by node, since when a computation enters a call node we need to consider the return to that node. Thus, when reading a node $v$ labeled by component $C$, the ABT $\mathcal{A}$ guesses an augmented computation of $C$, in which there are call transitions from call states to re-entry states, and a corresponding augmented run of $\mathcal{A}_\varphi$ (in which $\mathcal{A}_\varphi$'s state changes at the end of a call transition of $C$). Of course, when $\mathcal{A}$ guesses a call transition it should also verify that there exists a computation segment, and a run segment of $\mathcal{A}_\varphi$, corresponding to that call transition. To verify a call transition from $s^j_C$ to $s^k_E$, the ABT $\mathcal{A}$ sends a copy of itself, in an appropriate state, to the $j$-th successor of the node being read.

In general, $\mathcal{A}$ has two types of states: states for verifying call transitions (i.e., computation segments between a call and its return), and states for verifying the existence of computation suffixes that do not return. An example of a computation suffix that does not return is a computation that follows a pending call. States of the first type verify the feasibility of a computation segment, and there is such a state for every triple $(q, q', i) \in Q^2 \times [n_R]$. If $\mathcal{A}$ reads a tree node $v$ in state $(q, q', i)$, it has to verify the existence of a computation in which a call was made to $v$'s component when $\mathcal{A}_\varphi$ was in state $q$, and the first return from $v$'s component is from the $i$-th return state $s^i_R$, when $\mathcal{A}_\varphi$ is in state $q'$. States of the second type exist for every state $q \in Q$. If $\mathcal{A}$ reads a tree node $v$ in state $q$, it has to verify the existence of a computation suffix in which a call was made to $v$'s component when $\mathcal{A}_\varphi$ was in state $q$, and $\mathcal{A}_\varphi$ has an accepting run on that suffix. The initial state of $\mathcal{A}$ is of the second type: the initial state $q_0$ of $\mathcal{A}_\varphi$.

In fact, the state space of $\mathcal{A}$ must reflect one more complication. The ABT $\mathcal{A}$ not only has to guess a computation of a system and a run of $\mathcal{A}_\varphi$ on it; the run of $\mathcal{A}_\varphi$ must be accepting. For that reason we also need to preserve information regarding $\mathcal{A}_\varphi$'s passing through an accepting state during a run segment. In particular, when considering a call transition that stands for a computation segment during which $\mathcal{A}_\varphi$ moved from $q$ to $q'$, it is sometimes important whether $\mathcal{A}_\varphi$ passed through an accepting state during that run segment. For that reason, states of the first type (those that verify call transitions) come in two flavors: first, states $(q, q', i, 0)$ that retain the meaning explained above; second, states $(q, q', i, 1)$ in which $\mathcal{A}$ has to verify that, in addition to the existence of a computation segment and an $\mathcal{A}_\varphi$ run segment as above, the run segment of $\mathcal{A}_\varphi$ passes through an accepting state. Similarly, when $\mathcal{A}$ reads a component $C$ while in state $q$, it has to verify that there is a computation that does not return, on which $\mathcal{A}_\varphi$ has an accepting run. One of the ways this might happen is that $C$ makes a pending call to some other component $C'$. If this is the case, we need to keep track of whether an accepting state was seen from the entrance to $C$ until the call to $C'$. For that reason, states of the type $q$ also have two flavors: $(q, 0)$ and $(q, 1)$ (where the second stands for the constrained case in which an accepting state must be visited). Thus, the formal definition of $\mathcal{A}$'s state set is $Q^2 \times [n_R] \times \{0, 1\} \ \cup\ Q \times \{0, 1\}$.

The transitions of $\mathcal{A}$: Intuitively, when $\mathcal{A}$ reads an input-tree node $v$ and its labeling component $C$, the ABT $\mathcal{A}$ guesses an augmented computation, and a corresponding augmented run, that take place in $C$. Furthermore, for every call transition in the guessed augmented computation, the ABT $\mathcal{A}$ sends a copy of itself in the direction of the call, to ensure that the call transition corresponds to an actual computation segment. Thus, if the call transition is from $s^j_C$ to $s^k_E$ and $\mathcal{A}_\varphi$ moves from $q$ to $q'$ on that transition, then for some $b \in \{0, 1\}$ the ABT $\mathcal{A}$ sends the state $(q, q', k, b)$ in the $j$-th direction (how $b$ is chosen is explained below). The transition relation therefore has the following high-level structure: a disjunction over possible augmented computations and runs, where for each augmented run there is a conjunction over all its call transitions, sending the corresponding states of $\mathcal{A}$ in the correct directions.

Before going into further detail, we introduce some notation. Given an augmented computation of $C$ that begins in state $s$ and ends in state $s'$, and an augmented run of $\mathcal{A}_\varphi$ on it that begins in state $q$ and ends in state $q'$, we say that the beginning configuration is $(s, q)$ and the final configuration is $(s', q')$. Transitions of $\mathcal{A}_\varphi$ that have to do with calls or returns have a hierarchical symbol associated with them. If the component $C$ is in state $s$, the automaton $\mathcal{A}_\varphi$ is in state $q$ and a hierarchical symbol $p$ is associated, then the configuration is $(s, q, p)$. Given two configurations $c_1$ and $c_2$, $c_2$ is reachable in $C$ from $c_1$ if there exists a computation segment of $C$ that contains no call transitions, begins in $c_1$ and ends in $c_2$. The configuration $c_2$ is reachable through an accepting state in $C$ from $c_1$ if there exists a computation segment of $C$ that contains no call transitions, begins in $c_1$, ends in $c_2$, and on which $\mathcal{A}_\varphi$ visits an accepting state.

Next, we describe the transitions out of a state $(q, q', k, 0)$. This is the simplest case, as it does not involve analyzing whether an accepting state of $\mathcal{A}_\varphi$ is visited. Assume $\mathcal{A}$ is in state $(q, q', k, 0)$ when it reads a component $C$. Intuitively, this means that $\mathcal{A}$ has to guess an augmented computation of $C$ that begins at $C$'s initial state and ends in $C$'s $k$-th return state, and an augmented run of $\mathcal{A}_\varphi$ on that computation that begins in state $q$ and ends in state $q'$. In fact, instead of explicitly guessing the entire augmented computation and run, what $\mathcal{A}$ actually guesses are only the call transitions appearing in the computation, and the state transitions of $\mathcal{A}_\varphi$ corresponding to these call transitions. These are needed as they define the states of $\mathcal{A}$ that will be sent in the various directions down the tree. The computation begins when $C$ is in its initial state $s_0$ and $\mathcal{A}_\varphi$ is in state $q$. Thus the beginning configuration is $(s_0, q)$. The source of the first call transition is some call state $s^i_C$ of $C$, some state $q_1$ of $\mathcal{A}_\varphi$ and a hierarchical symbol $p_1$ of $\mathcal{A}_\varphi$. Thus the first computation segment ends in configuration $(s^i_C, q_1, p_1)$. Note that it must be the case that the configuration $(s^i_C, q_1, p_1)$ is reachable in $C$ from $(s_0, q)$. The target of the call transition is some configuration $(s^j_E, q'_1, p_1)$. At this stage, i.e., when $\mathcal{A}$ reads $C$, the target configuration is only constrained by sharing the hierarchical symbol with the source of the call transition. The constraints on the possible states in the target configuration depend on components down the tree that $\mathcal{A}$ will read only at a later stage of its run. The configuration which is the source of the next call transition, however, again has to be reachable from $(s^j_E, q'_1, p_1)$.
Our approach, therefore, is to define a graph $G_C$ whose vertices are configurations, with an edge from a source configuration to a target configuration if it is possible to reach the target from the source (see the earlier discussion of configurations). Recall the notation $C = (\Sigma_I, \Sigma_O, S, s_0, S_E, S_C, S_R, \delta, L)$, where $S_E = \{s^i_E\}_{i=1}^{n_R}$, $S_C = \{s^i_C\}_{i=1}^{n_C}$ and $S_R = \{s^i_R\}_{i=1}^{n_R}$. The vertex set $V_C$ of $G_C$ is the union of four sets: (1) initial configurations $\{s_0\} \times Q$; (2) call configurations $S_C \times Q \times P$; (3) re-entry configurations $S_E \times Q \times P$; (4) final configurations $S_R \times Q$.

There are two types of edges in $G_C$. Component edges reflect reachability in $C$: there is a component edge in $G_C$ from configuration $c_1$ to configuration $c_2$ iff $c_2$ is reachable in $C$ from $c_1$. Call edges capture call transitions and the corresponding state changes in $\mathcal{A}_\varphi$: there is a call edge in $G_C$ between $c_1 = (s, q, p)$ and $c_2 = (s', q', p')$ if $s$ is a call state, $s'$ is a re-entry state, and $p = p'$.

An augmented computation, and a run of $\mathcal{A}_\varphi$ on it, correspond to a path in $G_C$. When $\mathcal{A}$ is in state $(q, q', k, 0)$ and reads a component $C$, it guesses a path in $G_C$ from $(s_0, q)$ to $(s^k_R, q')$. If there exists such a path in $G_C$, then there exists a short path of length bounded by $|V_C|$, i.e., the number of vertices of $G_C$. We denote by $Path(q, q', s^k_R)$ the set of paths from $(s_0, q)$ to $(s^k_R, q')$ of length bounded by $|V_C|$. For each path $\pi \in Path(q, q', s^k_R)$, we denote by $E_C(\pi)$ the set of call edges appearing in $\pi$. For a call edge $e = ((s^i_C, q, p), (s^j_E, q', p))$, we denote $s_C(e) = i$, $s_E(e) = j$, $q(e) = q$, and $q'(e) = q'$. The transitions from $(q, q', k, 0)$ are defined by:

$$\delta((q, q', k, 0), C) = \bigvee_{\pi \in Path(q, q', s^k_R)} \ \bigwedge_{e \in E_C(\pi)} \big(s_C(e), (q(e), q'(e), s_E(e), 0)\big).$$

Intuitively, a path in $G_C$ is guessed, and for each call edge $e$ the state $(q(e), q'(e), s_E(e), 0)$ is sent in the direction of the call, i.e., $s_C(e)$.

Next, we describe the transitions out of a state $(q, q', k, 1)$. This case is very similar to the case of transitions out of $(q, q', k, 0)$ outlined above. The difference is that in this case $\mathcal{A}_\varphi$ must visit an accepting state during its augmented run. There is no requirement, however, that the accepting state be visited while control is held by the component $C$: it is possible that the accepting state is visited when some other (called) component is in control. Intuitively, as in the $(q, q', k, 0)$ case, the ABT $\mathcal{A}$ guesses a path in $G_C$ from the initial to the final configuration; in addition, $\mathcal{A}$ guesses an edge of the path on which an accepting state should be visited. For component edges, it is possible to make sure that the guessed edge represents a computation on which $\mathcal{A}_\varphi$ visits an accepting state. For call edges, the task of verifying that an accepting state is visited is delegated to the state of $\mathcal{A}$ that is sent in the direction of the call (by sending a state whose last bit $b$ is 1).

Formally, a component edge in $G_C$ from configuration $c_1$ to configuration $c_2$ is an accepting edge iff $c_2$ is reachable in $C$ through an accepting state from $c_1$. Note that if there exists a path from a configuration $c_1$ to a configuration $c_2$ that visits an accepting edge, then there exists one of length at most $2|V_C|$ (a simple path to the accepting edge and a simple path from it). For $q, q' \in Q$ and $s^k_R \in S_R$, we denote by $Path_a(q, q', s^k_R)$ the set of pairs in which the first element is a path $\pi$ of length at most $2|V_C|$ from $(s_0, q)$ to $(s^k_R, q')$, and the second element is a function $f$ mapping the edges of $\pi$ into $\{0, 1\}$ such that:

1. exactly one edge is mapped to 1, and

2. if the edge mapped to 1 is a component edge then it is also an accepting edge.

Finally,

$$\delta((q, q', k, 1), C) = \bigvee_{(\pi, f) \in Path_a(q, q', s^k_R)} \ \bigwedge_{e \in E_C(\pi)} \big(s_C(e), (q(e), q'(e), s_E(e), f(e))\big).$$
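The graph $G_C$ and the transitions out of $(q, q', k, 0)$ and $(q, q', k, 1)$, as an added example that is not the paper's own code. The component $C$, the automaton $A$ (a Büchi automaton standing in for $\mathcal{A}_\varphi$) and the hierarchical-symbol set are constructed and deliberately simplified: $A$ reads the label of each state the component enters, its call transitions choose the hierarchical symbol on entering a call state, and the return transitions of the NWBA are not modelled (the state a call edge delivers at the re-entry configuration is left to the child, exactly as the text says the target of a call transition is constrained only later). The function `transition` returns $\delta$ as a list of obligation sets, one per disjunct; each obligation is the pair (direction $s_C(e)$, state $(q(e), q'(e), s_E(e), f(e))$) sent down the tree. The same graph is what the $(q, b)$ parts below build on (the $\bot$ vertex, paths to call configurations and $\rho$-paths), which this example does not implement.

```python
from collections import defaultdict

# Constructed toy component C and Buchi automaton A (assumptions, not the
# paper's own example).  A call is a call edge from a call state to a re-entry
# state; A reads the label L(s') of every state s' the component enters, and
# A's call transitions pick the hierarchical symbol p on entering a call state.
C = {
    "s0": "s0",
    "S_C": ["c1"],           # i-th call state: the call goes to tree direction i
    "S_E": ["e1"],           # j-th re-entry state: the callee returned from s_R^j
    "S_R": ["r1", "r2"],     # k-th return state of C
    "delta": {("s0", "a"), ("a", "c1"), ("e1", "r1"), ("a", "r2")},
    "L": {"s0": "x", "a": "x", "c1": "call", "e1": "ret", "r1": "y", "r2": "z"},
}
A = {
    "Q": ["q0", "q1", "q2"], "Q_f": {"q2"}, "P": ["p"],
    "delta_i": {("q0", "x"): {"q0"}, ("q1", "y"): {"q2"}, ("q0", "z"): {"q0"}},
    "delta_c": {("q0", "call"): {("q0", "p")}},   # (q, label) -> {(q', p)}
}
SUCC = defaultdict(set)
for _s, _t in C["delta"]:
    SUCC[_s].add(_t)


def component_edges(s_src, q_src):
    """Component edges leaving configuration (s_src, q_src): every call or final
    configuration reachable in the product C x A without a call transition,
    mapped to True when some such segment visits Q_f (an accepting edge)."""
    targets, seen, stack = {}, set(), [(s_src, q_src, False)]
    while stack:
        s, q, acc = stack.pop()
        if (s, q, acc) in seen:
            continue
        seen.add((s, q, acc))
        for t in SUCC[s]:
            label = C["L"][t]
            if t in C["S_C"]:            # entering a call state: call configuration
                for q2, p in A["delta_c"].get((q, label), ()):
                    targets[(t, q2, p)] = targets.get((t, q2, p), False) or acc or q2 in A["Q_f"]
            else:
                for q2 in A["delta_i"].get((q, label), ()):
                    a = acc or q2 in A["Q_f"]
                    if t in C["S_R"]:    # entering a return state: final configuration
                        targets[(t, q2)] = targets.get((t, q2), False) or a
                    else:
                        stack.append((t, q2, a))
    return targets


def build_graph():
    """G_C as edges[v] = [(target, kind, accepting)], kind in {'comp', 'call'}.
    Component edges start at initial or re-entry configurations; a call edge
    joins (s_C^i, q, p) to every (s_E^j, q', p) sharing the symbol p."""
    edges = defaultdict(list)
    sources = [(C["s0"], q) for q in A["Q"]]
    sources += [(e, q, p) for e in C["S_E"] for q in A["Q"] for p in A["P"]]
    for src in sources:
        for tgt, acc in component_edges(src[0], src[1]).items():
            edges[src].append((tgt, "comp", acc))
    for c in C["S_C"]:
        for e in C["S_E"]:
            for q in A["Q"]:
                for q2 in A["Q"]:
                    for p in A["P"]:
                        edges[(c, q, p)].append(((e, q2, p), "call", False))
    return edges


def simple_paths(edges, src, dst):
    """All simple paths from src to dst (so of length <= |V_C|) as edge lists."""
    out = []

    def dfs(v, visited, path):
        if v == dst:
            out.append(list(path))
            return
        for t, kind, acc in edges[v]:
            if t not in visited:
                visited.add(t)
                path.append((v, t, kind, acc))
                dfs(t, visited, path)
                path.pop()
                visited.discard(t)
    dfs(src, {src}, [])
    return out


def transition(q, q_, k, b):
    """delta((q, q', k, b), C) in disjunctive normal form: a list of obligation
    sets, an obligation (i, (q(e), q'(e), j, f(e))) being the state sent to the
    i-th child for the call edge e.  An empty obligation set means 'true'."""
    edges = build_graph()
    disjuncts = set()
    for path in simple_paths(edges, (C["s0"], q), (C["S_R"][k - 1], q_)):
        calls = [(u, v) for u, v, kind, _ in path if kind == "call"]

        def obligations(marked):
            return frozenset((C["S_C"].index(u[0]) + 1,
                              (u[1], v[1], C["S_E"].index(v[0]) + 1, int((u, v) == marked)))
                             for u, v in calls)
        if b == 0:
            disjuncts.add(obligations(None))
            continue
        # b == 1: exactly one edge of the path carries the accepting obligation,
        # either an accepting component edge or a call edge marked f(e) = 1.
        if any(kind == "comp" and acc for _, _, kind, acc in path):
            disjuncts.add(obligations(None))
        for e in calls:
            disjuncts.add(obligations(e))
    return sorted(disjuncts, key=sorted)


if __name__ == "__main__":
    for state in [("q0", "q2", 1, 0), ("q0", "q2", 1, 1), ("q0", "q0", 2, 0), ("q0", "q0", 2, 1)]:
        print(state, transition(*state))
```

In the constructed component the only route to $r_1$ passes through the call at $c_1$, so $\delta((q_0, q_2, 1, 0), C)$ is a single disjunct that sends $(q_0, q_1, 1, 0)$ to child 1; for bit 1 the accepting obligation can be discharged either by the accepting component edge into $(r_1, q_2)$ or by delegating it to the child with $f(e) = 1$, which is why two disjuncts appear. The return state $r_2$ is reachable without any call, so $\delta((q_0, q_0, 2, 0), C)$ is true (an empty conjunction), while $(q_0, q_0, 2, 1)$ is false because no accepting state is visited on that segment.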

Next, we describe the transitions out of a state $(q, b)$, for $b \in \{0, 1\}$, in which $\mathcal{A}$ has to verify that there exists an accepting augmented computation of $C$ that does not return, and a run of $\mathcal{A}_\varphi$ on it. There are three distinct forms such a computation might take. (1) First, it is possible that the computation has an infinite suffix in which $C$ remains in control. (2) Second, it is possible that the component eventually makes a pending call. (3) Finally, it is possible that the computation contains infinitely many calls to, and returns from, other components. We deal with each case separately: we construct a partial transition relation for each case, and the transition relation itself is the disjunction of the three parts.

First, to deal with infinite suffixes of computations that never leave the component, we modify the graph $G_C$ to account for such runs. We introduce a new vertex $\bot$ that intuitively stands for "an infinite suffix of a computation in $C$, and an accepting run of $\mathcal{A}_\varphi$ on it". There is an edge from a configuration $c$ to $\bot$ if there exists an infinite computation of $C$ that begins in configuration $c$, never enters an exit state, and there exists an accepting run of $\mathcal{A}_\varphi$ on it. There are no edges from $\bot$.

The first part of the transition relation is

$$\delta^1((q, b), C) = \bigvee_{\pi \in Path(q, \bot)} \ \bigwedge_{e \in E_C(\pi)} \big(s_C(e), (q(e), q'(e), s_E(e), 0)\big).$$

Second, we have to deal with computation segments that end in a pending call. These computations are easily dealt with in terms of paths in $G_C$ to a configuration whose state is a call state. We note two details. First, by the definition of an accepting run of an NWBA, the hierarchical symbols associated with pending calls must be from the set $P_f$. Second, note the difference between states of type $(q, 0)$ and type $(q, 1)$. In the $(q, 0)$ case there is no constraint that has to do with $\mathcal{A}_\varphi$'s accepting states. Therefore, the second part of the transition relation is

$$\delta^2((q, 0), C) = \bigvee_{\substack{s^k_C \in S_C,\\ q' \in Q,\\ p \in P_f}} \ \bigvee_{\pi \in Path(s^k_C, q, q', p)} \ \bigvee_{b \in \{0, 1\}} \Big( (k, (q', b)) \ \wedge \bigwedge_{e \in E_C(\pi)} \big(s_C(e), (q(e), q'(e), s_E(e), 0)\big) \Big),$$

where $Path(s^k_C, q, q', p)$ denotes the paths in $G_C$ from $(s_0, q)$ to the call configuration $(s^k_C, q', p)$ of length bounded by $|V_C|$, and $(k, (q', b))$ sends the state $(q', b)$ in the direction $k$ of the pending call.

In the $(q, 1)$ case an accepting state of $\mathcal{A}_\varphi$ must be visited; therefore the second part of the transition relation is

$$\delta^2((q, 1), C) = \bigvee_{\substack{s^k_C \in S_C,\\ q' \in Q,\\ p \in P_f}} \ \bigvee_{(\pi, f) \in Path_a(s^k_C, q, q', p)} \ \bigvee_{b \in \{0, 1\}} \Big( (k, (q', b)) \ \wedge \bigwedge_{e \in E_C(\pi)} \big(s_C(e), (q(e), q'(e), s_E(e), f(e))\big) \Big),$$

where $Path_a(s^k_C, q, q', p)$ is defined from $Path(s^k_C, q, q', p)$ as $Path_a(q, q', s^k_R)$ was defined from $Path(q, q', s^k_R)$.

Finally, we have to deal with suffixes of computations that contain infinitely many calls to, and returns from, other components. Such computations must contain a configuration that appears twice. A $\rho$-path in $G_C$ is a path in $G_C$ in which the last vertex is visited more than once along the path (intuitively, closing a cycle). The part of the path between the first and last occurrences of the last vertex is the cycle. As we require $\mathcal{A}_\varphi$'s run to accept, an accepting state from $Q_f$ should be visited during a segment of the computation that corresponds to an edge on the cycle. An accepting $\rho$-path is a $\rho$-path in which one of the edges along the cycle is accepting. There exists an accepting $\rho$-path iff there exists an accepting $\rho$-path of length at most $3|V_C|$ (a simple path to the cycle, and a cycle of length at most $2|V_C|$).

For $q \in Q$ we denote by $\rho\text{-}Path(q)$ the set of pairs in which: (1) the first element $\pi$ is a $\rho$-path of length at most $3|V_C|$ starting at $(s_0, q)$; (2) the second element is a function $f$ mapping the edges of $\pi$ into $\{0, 1\}$ such that (a) exactly one edge is mapped to 1, and this edge is on the cycle, and (b) if the edge mapped to 1 is a component edge then it is also an accepting edge. The third part of the transition relation is

$$\delta^3((q, b), C) = \bigvee_{(\pi, f) \in \rho\text{-}Path(q)} \ \bigwedge_{e \in E_C(\pi)} \big(s_C(e), (q(e), q'(e), s_E(e), f(e))\big).$$

Finally, for a state $(q, b)$ the transition relation is

$$\delta((q, b), C) = \delta^1((q, b), C) \vee \delta^2((q, b), C) \vee \delta^3((q, b), C).$$

This concludes the definition of the transition relation.

Accepting states of $\mathcal{A}$: Finally, the set $F$ of $\mathcal{A}$'s accepting states is the set $Q \times \{1\}$. Intuitively, in an accepting run tree of $\mathcal{A}$, each path is either finite, i.e., ends at a node whose transition relation is true, or an infinite path of states that correspond to pending calls. For the run to be accepting, an accepting state must be visited infinitely often along such an infinite path of pending calls. As we defined the accepting-state set to be $Q \times \{1\}$, an infinite path of pending calls is accepted iff the run of $\mathcal{A}_\varphi$ visits an accepting state of $\mathcal{A}_\varphi$ infinitely often. This concludes the main construction.

We now prove correctness in several stages. First, we prove a claim regarding states of the form $(q, q', i, b)$. Below, $\mathcal{A}^{\sigma}$ denotes the automaton $\mathcal{A}$ started in state $\sigma$.

Claim 4.3: For a composition tree $T$, there exists a finite accepting run tree of $\mathcal{A}^{(q, q', i, 0)}$ on $T$ iff there exists a computation $\pi$ of the composition induced by $T$ such that:

1. $\pi$ ends by returning from the $i$-th return state $s^i_R$ of $T$'s root.

2. there exists a run $r$ of $\mathcal{A}_\varphi$ on the word induced by $\pi$ that begins in $q$ and ends in $q'$.

Furthermore, for states $(q, q', i, 1)$ the iff statement holds for a run $r$ that visits an accepting state from $Q_f$.

Proof: Assume first that there exist a computation $\pi$ and a run $r$ as claimed. We prove that there exists a finite accepting run tree of $\mathcal{A}^{(q, q', i, b)}$ on $T$. As the computation $\pi$ returns from the root, the depth $h$ of the subtree traversed by $\pi$ in $T$ is bounded. The proof is by induction on the depth $h$. The base case is depth 1, i.e., only the root component is traversed. Then the existence of $\pi$ implies that there exists an edge in $G_C$ from $(s_0, q)$ to $(s^i_R, q')$. Therefore, there exists a path in $G_C$ between these vertices that does not contain any call edges. Thus, the transition relation evaluates to true, implying that there exists a finite accepting run of $\mathcal{A}^{(q, q', i, 0)}$ on $T$. Furthermore, if $r$ visits a state from $Q_f$ then the relevant edge is an accepting edge and there is an accepting run of $\mathcal{A}^{(q, q', i, 1)}$ on $T$. Assume now the induction hypothesis for traversals of maximal depth $h$; we prove it for traversals of maximal depth $h + 1$. The computation $\pi$ can be broken into segments in which control is in the root component and segments in which some other (called) components are in control. Each segment corresponds to an edge of $G_C$, where segments of the computation in which the root is in control correspond to component edges, and the rest of the segments correspond to call edges. Each call edge corresponds to a successor of the root in the composition tree, and for each call edge the induction hypothesis implies the existence of an accepting run tree on the corresponding composition subtree. Thus there exists an accepting run tree as claimed. Furthermore, if $r$ visits $Q_f$ then the visit is made during some computation segment. The edge corresponding to that computation segment can be mapped to 1 by the function $f$ from the definition of the transition relation for $(q, q', i, 1)$. It follows that if $r$ visits a state from $Q_f$ then there exists an accepting run of $\mathcal{A}^{(q, q', i, 1)}$ on $T$.

Assume now that a finite accepting run tree of $\mathcal{A}^{(q, q', i, b)}$ exists; we prove the existence of a computation $\pi$ and a run $r$ as needed. The proof is by induction on the height $h$ of the accepting run tree. The base case is a run tree of height 1. Then the transition relation $\delta$ must evaluate to true on the root. Thus, the path in $G_C$ contains no call edges, and therefore by the definition of $\delta$ there exist $\pi$ and $r$ as claimed. Furthermore, if $b = 1$, the component edge must be an accepting edge, implying that $r$ visits $Q_f$. Assume now the induction hypothesis for run trees of height $h$; we prove it for run trees of height $h + 1$. The root of the run tree is labeled by some set $S$ of pairs of directions and $\mathcal{A}$-states that satisfies $\delta$. This choice of states and directions corresponds to a path in $G_C$ in which some edges are call edges and some are component edges. By the definition of $\delta$ there exist computation segments corresponding to the component edges, and by the induction hypothesis there exist computation segments corresponding to the call edges. Splicing these computation segments together we get a computation $\pi$ and a run $r$ as claimed. Furthermore, if $b = 1$ then one of the edges is an accepting edge and therefore $r$ visits $Q_f$. □

By very similar reasoning, we can show that there exists a finite accepting run tree of $\mathcal{A}^{(q, b)}$ on a composition tree $T$ iff there exists a computation $\pi$ of $T$ such that: (1) $\pi$'s traversal is bounded in a finite subtree of the composition tree; (2) $\pi$ never returns from the root of $T$; and (3) there exists an accepting run $r$ of $\mathcal{A}_\varphi$ on $\pi$. Unlike the $(q, q', i, b)$ case, however, we also have to consider computations that are not bounded in a finite subtree of $T$. Next, we show that it is enough to consider computations that make infinitely many pending calls.

Observation 4.4: For a library $\mathcal{L}$, an NWBA $\mathcal{A}_\varphi$ and a composition tree $T$, if there exists a computation $\pi$ of $T$, in $L(\mathcal{A}_\varphi)$, in which a node $v \in T$ is visited infinitely often, then there exists a computation $\pi'$ of $T$, in $L(\mathcal{A}_\varphi)$, that only traverses a finite subtree of $T$.

Proof: First, note that it is enough to show that there exists a computation $\pi'$ of $T$, in $L(\mathcal{A}_\varphi)$, such that $\pi'$ only traverses a finite subtree of the subtree rooted at $v$ (regardless of what happens outside that subtree). The reason is that, w.l.o.g., $v$ can be assumed to be a node of minimal depth that is visited infinitely often by $\pi$. As such, the computation must eventually remain in the subtree rooted at $v$ (since if $v$ is not the root, $v$'s predecessor is visited only finitely often).

Next, let $\pi_1, \pi_2$ be two computation segments of $\pi$, and $r_1, r_2$ the corresponding parts of $\mathcal{A}_\varphi$'s accepting run on $\pi$, such that:

1. $\pi_1$ and $\pi_2$ begin by entering the same call state $s^i_C$.

2. $r_1$ and $r_2$ begin in the same $\mathcal{A}_\varphi$ state $q$.

3. $\pi_1$ and $\pi_2$ end when control is returned to $v$ through the same re-entry state $s^j_E$.

4. $r_1$ and $r_2$ end in the same $\mathcal{A}_\varphi$ state $q'$.

5. $r_1$ visits $Q_f$ iff $r_2$ visits $Q_f$.

Then $\pi_1$ and $\pi_2$ are interchangeable, and the resulting computation still satisfies $\varphi$. Thus, while $v$ is returned to infinitely often, there are only finitely many equivalence classes of interchangeable computation segments. Choosing a single representative from each equivalence class, we can splice together a computation whose traversal depth is bounded by the traversal depths of the representatives. □

Observation 4.4 implies that if there is a computation in $L(\mathcal{A}_\varphi)$ that traverses an unbounded subtree of the composition tree and does not make infinitely many pending calls, then there is also a computation in $L(\mathcal{A}_\varphi)$ that traverses a finite subtree of the composition tree. Therefore, when considering computations that traverse a subtree of unbounded depth of a composition tree, it is enough to consider compositions in which the computation whose word is in $L(\mathcal{A}_\varphi)$ has infinitely many pending calls. The definition of $\mathcal{A}$'s accepting-state set ensures correctness with respect to such computations. An accepting run tree of $\mathcal{A}$ on $T$ with an infinite path must visit an accepting state (i.e., a state $(q, 1)$) infinitely often, which means it is possible to construct a computation of $T$ that makes infinitely many pending calls and on which $\mathcal{A}_\varphi$ has an accepting run. On the other hand, an accepting computation of $\mathcal{A}_\varphi$ that makes infinitely many pending calls implies the existence of an accepting run tree of $\mathcal{A}$ with an infinite path that visits an accepting state infinitely often.
Finally, we provide a complexity analysis. For an NWBA with $n_\varphi$ states and a library with $m_l$ components, each of size at most $m_c$, the construction presented here creates an ABT $\mathcal{A}$ with at most $O(n_\varphi^2 \cdot m_c)$ states. Note, however, that the number of states does not tell the entire story. First, the computation of $\delta$ involves reachability analysis of the components. Luckily, the reachability analysis is done separately on each component (in fact, on the Cartesian product of each component with $\mathcal{A}_\varphi$), and therefore its complexity is $O(n_\varphi^2 \cdot m_c \cdot m_l)$. On the other hand, $\mathcal{A}$ is an alternating automaton with a transition relation that may be exponential in the size of its state space. Thus, $\mathcal{A}$ cannot be computed in space polynomial in the parameters. The computation of $\delta$, however, involves an analysis of the paths in $G_C$ and requires space polynomial in $n_\varphi$ and $m_c$.



5 Discussion 

We defined the problem of NWTL synthesis from a library of recursive components, solved it, and showed it to be 2EXPTIME-complete. We now note that the ideas presented above are quite robust with respect to possible variants of the basic problem.

The model was chosen for simplicity rather than expressiveness, and can be extended and generalized. First, we can consider several call values per component. This translates to each component having a set $S_0 \subseteq S$ of initial states (rather than a single initial state $s_0 \in S$). Next, we can add greater flexibility with respect to return values. A single return value may have different meanings on different calls. Therefore, compositions might be allowed to perform some "return-value translation": matching return states to re-entry states per call, rather than matching return states to re-entry states uniformly. This can be modeled by augmenting each composition element $(i, C_i, f_i)$ with another function $r_i : S_C \to ([n_R] \to\ )$ that maps each call state to a matching of return values to re-entry states. The synthesis algorithm for the augmented model remains almost the same. In the augmented model, a component implementation depends on the call value $s_0 \in S_0$ and the $r_i$ function. Therefore, instead of working with composition trees labeled by $\mathcal{L}$, we would work with augmented composition trees, labeled by tuples $(C, s_0, r_i)$. Our algorithm and analysis can then be extended appropriately.

Another possible extension is to consider bounded call stacks. Theoretically, "call and return" models allow for unbounded call stacks. Real-life systems, however, have bounded call stacks. One can consider a variant of the synthesis problem in which the output must have a bounded call stack, where the bound is an output of the synthesis algorithm rather than an a priori given input. To adapt the algorithm to this case, we have to find a finite composition tree in which all computations satisfy $\varphi$ and no computation makes a call from a leaf (ensuring a bounded stack). To that end, we construct two alternating automata on finite trees (AFTs). First, an AFT $\mathcal{A}_1$ for finite composition trees in which there exists a computation violating $\varphi$. The AFT $\mathcal{A}_1$ is simply the ABT from Theorem 4.1 when considered as an AFT, in which no state is considered accepting. In addition, we construct an AFT $\mathcal{A}_2$ that accepts trees that may perform a call from one of the leaves (see the longer version of this paper). The union of the languages of $\mathcal{A}_1$ and $\mathcal{A}_2$ contains all finite composition trees that do not realize $\varphi$. An AFT for the union can then be complemented and checked for emptiness as in the infinite case. Thus, the solution techniques presented in this paper are quite robust and extend to natural variants of the basic model.